
trojan-spy.html smithfraud.c[CLOSED]


This topic is locked

#1 2nyce (Member, 38 posts)
I'm having the same problem, can't get rid of this. Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:09:38 PM, on 5/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.exe
C:\iTunesHelper.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\System32\paytime.exe
D:\WINDOWS\isrvs\desktop.exe
C:\Ares\Ares.exe
D:\WINDOWS\System32\paytime.exe
D:\Documents and Settings\Mike\Application Data\asms.exe
D:\WINDOWS\System32\m?config.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\System32\wpabaln.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\System32\wuauclt.exe
D:\DOCUMENTS AND SETTINGS\MIKE\DESKTOP\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50162
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50162
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://D:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll (file missing)
O2 - BHO: (no name) - {46223DAB-8130-F8B5-32B4-F10DFB86AC9A} - D:\WINDOWS\System32\obwblo.dll
O2 - BHO: CInterfaceObj Object - {58F07DD3-924D-4141-BC74-299F523A95F1} - D:\WINDOWS\pxwma.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - D:\PROGRA~1\Toolbar\toolbar.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: NavHelper Class - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - D:\Program Files\NavExcel\NavHelper\v2.0.4c\NHelper.dll
O2 - BHO: Helper Class - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - D:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: NavExcel Toolbar - {5AA06644-BC46-4220-A460-47A6EB47C96D} - D:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PayTime] D:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [Desktop Search] D:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] D:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Security iGuard] D:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [TBPS] D:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [PayTime] D:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Tssa] D:\Documents and Settings\Mike\Application Data\asms.exe
O4 - HKCU\..\Run: [Kkocmw] D:\WINDOWS\System32\m?config.exe
O8 - Extra context menu item: &AOL Toolbar search - res://D:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://D:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {12914FDD-1B76-42D5-9B88-EF4311D6FFA6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {12914FDD-1B76-42D5-9B88-EF4311D6FFA6} - (no file) (HKCU)
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 81.222.131.59
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo....cab?refid=2732
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - D:\PROGRA~1\Toolbar\toolbar.dll (file missing)
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - D:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: drct16 - drct16.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
#2 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hi there,

I strongly suggest you print out the next instructions, or save them in Notepad, because you'll have a lot of steps to take (in the right order) and you also have to work in Safe Mode, so this page won't be available then. It is also really important that you don't miss any step and perform everything in the right order, because there is a reason for this!!!!

* Please set your system to show all files; please see here if you're unsure how to do this.

* Download and install CCleaner
Do not use it yet.

* Download Nail/Aurora Spyware Fix
Unzip/extract it.
Do not use it yet!

* Download ewido security suite here: http://www.ewido.net/en/download/
Install and update it. Don't let it scan yet!!

* Reboot into Safe Mode:
°To get into Safe Mode, as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Open the nailfix-folder and doubleclick on nailfix.cmd. <== don't forget this step!!
Your taskbar and icons will disappear for a couple of seconds, that is normal.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

D:\WINDOWS\System32\paytime.exe
D:\Documents and Settings\Mike\Application Data\asms.exe
C:\Program Files\CxtPls <==folder
D:\Program Files\NavExcel <== folder
D:\Program Files\NavExcel Search Toolbar <== folder
D:\Program Files\Security iGuard <== folder
D:\PROGRAM FILES\Toolbar <== folder
D:\WINDOWS\delprot.ini
D:\WINDOWS\isrvs <== folder
D:\WINDOWS\system32\drivers\delprot.sys
D:\wp.exe
D:\wp.bmp
D:\bsw.exe
D:\WINDOWS\System32\wldr.dll

* Go to start > run and type: sc delete delprot

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50162
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50162
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://D:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
F2 - REG:system.ini: Shell=Explorer.exe D:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll (file missing)
O2 - BHO: (no name) - {46223DAB-8130-F8B5-32B4-F10DFB86AC9A} - D:\WINDOWS\System32\obwblo.dll
O2 - BHO: CInterfaceObj Object - {58F07DD3-924D-4141-BC74-299F523A95F1} - D:\WINDOWS\pxwma.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - D:\PROGRA~1\Toolbar\toolbar.dll (file missing)
O2 - BHO: NavHelper Class - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - D:\Program Files\NavExcel\NavHelper\v2.0.4c\NHelper.dll
O2 - BHO: Helper Class - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - D:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
O3 - Toolbar: NavExcel Toolbar - {5AA06644-BC46-4220-A460-47A6EB47C96D} - D:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
O4 - HKLM\..\Run: [PayTime] D:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [Desktop Search] D:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] D:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Security iGuard] D:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [TBPS] D:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [ares] "C:\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [PayTime] D:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Tssa] D:\Documents and Settings\Mike\Application Data\asms.exe
O4 - HKCU\..\Run: [Kkocmw] D:\WINDOWS\System32\m?config.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {12914FDD-1B76-42D5-9B88-EF4311D6FFA6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {12914FDD-1B76-42D5-9B88-EF4311D6FFA6} - (no file) (HKCU)
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 81.222.131.59
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo....cab?refid=2732
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - D:\PROGRA~1\Toolbar\toolbar.dll (file missing)
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - D:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: drct16 - drct16.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.

* Run CCleaner and click Run Cleaner (bottom right)

* Still in Safe Mode, perform a full scan with ewido.
Let it delete everything it is finding.
When finished, you'll get the option to make a log.
Save this log, because I'll need that later.

* Reboot your system back to normal mode.

* Download http://metallica.gee...m/smitfraud.reg and save it on your desktop
Doubleclick on it and when it asks you if you want to add the content to the registry, click yes/ok.

* Download the Hoster from HERE. Press "Restore Original Hosts" and press "OK". Exit the program.

* Download: http://www.mvps.org/.../DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Open Notepad, copy and paste the next content (bold) into it:

dir D:\WINDOWS\System32\m?config.exe /a h > files.txt
notepad files.txt


Save this as look.bat, choose to save as "all files" and save it to your desktop.
Doubleclick on it and notepad will open with some text in it.
Save this log files.txt on your desktop.

Download Findit
Unzip it to your desktop. Make sure the FindIt's.bat and XFind.com are together in the same UNZIPPED folder!
Disconnect from the internet, if you use an always on internet connection unplug it.
Let your PC be idle for 15 minutes !!

Doubleclick FindIt's.bat. When the scan is done, it will produce a log.
If you get an error while running FindIt's similar to:
'D:\windows\system32\cmd.exe
D:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.'

use the next fix: http://www.visualtou...oads/xp_fix.exe and try FindIt's again.

Post that log from FindIt's in your next reply together with a fresh HijackThis log and the log from ewido + the log from look.bat (files.txt) and I'll take another look.

#3 2nyce (Topic Starter, Member, 38 posts)
I don't know how to view my hidden files. Where are they located? I know they're hidden, I just can't view them to delete them. Here's my new log:

Logfile of HijackThis v1.99.1
Scan saved at 2:40:59 PM, on 5/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
C:\iTunesHelper.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\The Cleaner\tca.exe
D:\Program Files\The Cleaner\tcm.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Ares\Ares.exe
D:\WINDOWS\System32\m?config.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\System32\wpabaln.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Mike\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tcactive] D:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] D:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [ares] "C:\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Kkocmw] D:\WINDOWS\System32\m?config.exe
O8 - Extra context menu item: &AOL Toolbar search - res://D:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://D:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe

#4 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hello,

You still need to fix some items in hijackthis:

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O4 - HKCU\..\Run: [Kkocmw] D:\WINDOWS\System32\m?config.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab


* Click on Fix Checked when finished and exit HijackThis.

Can you also give me the other logs I asked you for?

-findit's
-ewido-log
-log from look.bat

Could you also find all the files I asked you to?
I thought I explained before how to show hidden files and folders though:

* Please set your system to show all files; please see here if you're unsure how to do this.



#5 2nyce (Topic Starter, Member, 38 posts)
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:17:54 AM, 5/26/2005
+ Report-Checksum: 8A22E7CA

+ Date of database: 5/26/2005
+ Version of scan engine: v3.0

+ Duration: 23 min
+ Scanned Files: 14395
+ Speed: 10.33 Files/Second
+ Infected files: 7
+ Removed files: 7
+ Files put in quarantine: 7
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
D:\Documents and Settings\Mike\Cookies\mike@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\Documents and Settings\Mike\Cookies\mike@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\Documents and Settings\Mike\Cookies\mike@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\Documents and Settings\Mike\Cookies\mike@ping[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\Documents and Settings\Mike\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\Documents and Settings\Mike\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
D:\Documents and Settings\Mike\Cookies\mike@valueclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup


::Report End

@echo off
if exist %SystemDrive%\log.txt del %SystemDrive%\log.txt
cls
ver >>%SystemDrive%\log.txt
ECHO. | DATE | FIND /i "current">>%SystemDrive%\log.txt
echo PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. >>%SystemDrive%\log.txt


echo.»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»» >>%SystemDrive%\log.txt
echo. >>%SystemDrive%\log.txt
echo Diregard the parameters message.
echo This will take awhile, wait until a text opens.
echo Do nothing until the scan is complete please.

Xfind "Tlji7Mk" %WinDir%\System32\*.DLL /"* Todo " \ >>%SystemDrive%\log.txt
Xfind "Tlji7Mk" %WinDir%\System32\*.exe /"* Todo " \ >>%SystemDrive%\log.txt
Xfind ";2x(V]@BMD" %WinDir%\System32\*.DLL /"* Todo " \ >>%SystemDrive%\log.txt
Xfind ";2x(V]@BMD" %WinDir%\System32\*.exe /"* Todo " \ >>%SystemDrive%\log.txt
echo. >>%SystemDrive%\log.txt
Xfind "sYVLLSAKY" %WinDir%\System32\*.DLL /"* Todo " \ >>%SystemDrive%\log.txt
Xfind "sYVLLSAKY" %WinDir%\System32\*.exe /"* Todo " \ >>%SystemDrive%\log.txt

echo.»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»» >>%SystemDrive%\log.txt
echo. >>%SystemDrive%\log.txt
Xfind "aurora.exe" %WinDir%\System32\*.exe /"* aurora " \ >>%SystemDrive%\log.txt
Xfind "aurora.exe" %WinDir%\System\*.exe /"* aurora " \ >>%SystemDrive%\log.txt
Xfind "aurora.exe" %WinDir%\*.exe /"* aurora " \ >>%SystemDrive%\log.txt
echo. >>%SystemDrive%\log.txt
echo.»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» >>%SystemDrive%\log.txt
echo.Dont delete file's in the section without guidance>>%SystemDrive%\log.txt
echo.If any doubt back them up first>>%SystemDrive%\log.txt
echo. >>%SystemDrive%\log.txt
Xfind "UPX!" %WinDir%\System32\*.exe /"* UPX! " \ >>%SystemDrive%\log.txt
Xfind "UPX!" %WinDir%\System\*.exe /"* UPX! " \ >>%SystemDrive%\log.txt
Xfind "UPX!" %WinDir%\*.exe /"* UPX! " \ >>%SystemDrive%\log.txt
echo. >>%SystemDrive%\log.txt
Xfind "ZepMon" %WinDir%\System32\*.dll /"* Sniffed " \ >>%SystemDrive%\log.txt
Xfind "ZepMon" %WinDir%\System\*.dll /"* Sniffed " \ >>%SystemDrive%\log.txt
echo »»»»» lagitamate file's can/will show in this section. >>%SystemDrive%\log.txt
echo. >>%SystemDrive%\log.txt
Xfind "UPX!" %WinDir%\System32\*.dll /"* UPX! " \ >>%SystemDrive%\log.txt
Xfind "UPX!" %WinDir%\System\*.dll /"* UPX! " \ >>%SystemDrive%\log.txt
Xfind "UPX!" %WinDir%\*.dll /"* UPX! " \ >>%SystemDrive%\log.txt
echo.»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» >>%SystemDrive%\log.txt

Xfind "buddy.exe" %WinDir%\System32\*.exe /"* buddy " \ >>%SystemDrive%\log.txt
Xfind "buddy.exe" %WinDir%\System\*.exe /"* buddy " \ >>%SystemDrive%\log.txt
Xfind "buddy.exe" %WinDir%\*.exe /"* buddy " \ >>%SystemDrive%\log.txt
Xfind "buddy.exe" %WinDir%\System32\*.dll /"* buddy " \ >>%SystemDrive%\log.txt
Xfind "buddy.exe" %WinDir%\System\*.dll /"* buddy " \ >>%SystemDrive%\log.txt
Xfind "buddy.exe" %WinDir%\*.dll /"* buddy " \ >>%SystemDrive%\log.txt
echo. >>%SystemDrive%\log.txt
echo.»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»» >>%SystemDrive%\log.txt
echo. >>%SystemDrive%\log.txt
Xfind "SAHAgent" %WinDir%\System32\*.exe /"* SAHAgent " \ >>%SystemDrive%\log.txt
Xfind "SAHAgent" %WinDir%\System\*.exe /"* SAHAgent " \ >>%SystemDrive%\log.txt
Xfind "SAHAgent" %WinDir%\*.exe /"* SAHAgent " \ >>%SystemDrive%\log.txt
Xfind "SAHAgent" %WinDir%\System32\*.ini /"* SAHAgent " \ >>%SystemDrive%\log.txt
Xfind "SAHAgent" %WinDir%\System\*.ini /"* SAHAgent " \ >>%SystemDrive%\log.txt
Xfind "SAHAgent" %WinDir%\*.ini /"* SAHAgent " \ >>%SystemDrive%\log.txt

echo.»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» >>%SystemDrive%\log.txt
echo. >>%SystemDrive%\log.txt
Xfind "_rtneg3" %WinDir%\System32\*.exe /"* _rtneg3 " \ >>%SystemDrive%\log.txt
Xfind "_rtneg3" %WinDir%\System\*.exe /"* _rtneg3 " \ >>%SystemDrive%\log.txt
Xfind "_rtneg3" %WinDir%\*.exe /"* _rtneg3 " \ >>%SystemDrive%\log.txt
Xfind "_rtneg3" %WinDir%\System32\*.dll /"* _rtneg3 " \ >>%SystemDrive%\log.txt
Xfind "_rtneg3" %WinDir%\System\*.dll /"* _rtneg3 " \ >>%SystemDrive%\log.txt
Xfind "_rtneg3" %WinDir%\*.dll /"* _rtneg3 " \ >>%SystemDrive%\log.txt
echo. >>%SystemDrive%\log.txt
pause
echo »»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder. >>%SystemDrive%\log.txt
echo. >>%SystemDrive%\log.txt
dir %windir%\SYSTEM32\cache32_rtneg* /AD >>%SystemDrive%\log.txt
echo »»»»» Checking for SAHAgent ico files.>>%SystemDrive%\log.txt
dir %windir%\system32\*.ico >>%SystemDrive%\log.txt
echo. >>%SystemDrive%\log.txt
echo »»»»»»»»»»»»»»»»»»»»»»»».>>%SystemDrive%\log.txt
echo. >>%SystemDrive%\log.txt

winreg -v -t "HKEY_CURRENT_USER\Software\aurora" >>%SystemDrive%\log.txt
winreg -v -t "HKEY_CURRENT_USER\Software\Bolger" >>%SystemDrive%\log.txt
winreg -v -t "HKEY_CURRENT_USER\Software\ceres" >>%SystemDrive%\log.txt
winreg -v -t "HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj" >>%SystemDrive%\log.txt
winreg -v -t "HKEY_CLASSES_ROOT\mfiltis" >>%SystemDrive%\log.txt
winreg -v -t "HKEY_CURRENT_USER\Software\_rtneg3" >>%SystemDrive%\log.txt
winreg -v -t "HKEY_CLASSES_ROOT\trfdsk.amo" >>%SystemDrive%\log.txt
winreg -v -t "HKEY_CLASSES_ROOT\trfdsk.amo.1" >>%SystemDrive%\log.txt
winreg -v -t "HKEY_CLASSES_ROOT\trfdsk.iiittt" >>%SystemDrive%\log.txt
winreg -v -t "HKEY_CLASSES_ROOT\trfdsk.iiittt.1" >>%SystemDrive%\log.txt
winreg -v -t "HKEY_CLASSES_ROOT\trfdsk.momo" >>%SystemDrive%\log.txt
winreg -v -t "HKEY_CLASSES_ROOT\trfdsk.momo.1" >>%SystemDrive%\log.txt
winreg -v -t "HKEY_CLASSES_ROOT\trfdsk.ohb" >>%SystemDrive%\log.txt
winreg -v -t "HKEY_CLASSES_ROOT\trfdsk.ohb.1" >>%SystemDrive%\log.txt
winreg -v -t "HKEY_LOCAL_MACHINE\SOFTWARE\System Updater" >>%SystemDrive%\log.txt
winreg -v -t "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID" >>%SystemDrive%\log.txt
winreg -v -t "HKEY_CLASSES_ROOT\CLSID\{302A3240-4805-4a34-97D7-1645A0B08410}" >>%SystemDrive%\log.txt
winreg -v -t "HKEY_CLASSES_ROOT\CLSID\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}" >>%SystemDrive%\log.txt
winreg -v -t "HKEY_CLASSES_ROOT\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}" >>%SystemDrive%\log.txt
winreg -v -t "HKEY_CLASSES_ROOT\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}" >>%SystemDrive%\log.txt
winreg -v -t "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon" >>%SystemDrive%\log.txt
winreg -v -t "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon" >>%SystemDrive%\log.txt
winreg -v -t "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon" >>%SystemDrive%\log.txt



notepad.exe %SystemDrive%\log.txt

echo Finished!!
:last

#6 2nyce (Topic Starter, Member, 38 posts)
Volume in drive D has no label.
Volume Serial Number is B047-94FA

Directory of D:\WINDOWS\System32

05/17/2005 06:58 AM 430,080 m?config.exe
1 File(s) 430,080 bytes

Directory of D:\Documents and Settings\Mike\Desktop

#7 miekiemoes (Malware Expert, MVP, 5,503 posts)
2nyce,

you need to doubleclick on findit's.bat, not rightclick and copy and paste the contents of it.
If you doubleclick on findit's.bat, it will scan for a while and it will open notepad afterwards with some txt in it. That is what I need!
Do you get an error while you run it? Please tell me -- that's important.

In the meanwhile, search for and delete m?config.exe in your D:\Windows\system32 folder. Where the ? is present, there will be a letter instead, so you won't find it with the question mark in it.
Please don't delete msconfig.exe that is present in any other folder than the system32 folder!! Because those are legit ones.
The bad one you have to search for will probably have no icon. If you rightclick on it and choose properties, the date is 05/17/2005 and the filesize is +/- 430kb.
Please make sure you don't delete any other ones!!

Edited by miekiemoes, 26 May 2005 - 08:16 AM.

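The checklist in the fix above (raw-IP start pages, the extra Shell= program, "(file missing)" hooks, Trusted Zone entries, the text/html filter, the Winlogon Notify DLL) and the look-alike letter in m?config.exe discussed in this post are all patterns a reader can check for mechanically. As an added example, not part of this thread or of HijackThis itself, here is a small Python triage script run over constructed sample lines modelled on the posted log; the Cyrillic letter in the O4 line is an assumption standing in for the unknown character that HijackThis rendered as "?".

```python
"""Triage a HijackThis 1.99-style log for the hijack patterns seen in this thread."""
import re
import unicodedata
from typing import List, Tuple

# Constructed sample, modelled on the log posted in the thread (not a real capture).
# U+0455 (Cyrillic dze) in the O4 line is an assumed stand-in for the unknown
# look-alike letter that HijackThis displayed as "?" in "m?config.exe".
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://81.222.131.49/index.php
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.google.com/
F2 - REG:system.ini: Shell=Explorer.exe D:\\WINDOWS\\Nail.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\\program files\\google\\googletoolbar1.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - D:\\PROGRA~1\\Toolbar\\toolbar.dll (file missing)
O4 - HKLM\\..\\Run: [AVG7_CC] D:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O4 - HKCU\\..\\Run: [Tssa] D:\\Documents and Settings\\Mike\\Application Data\\asms.exe
O4 - HKCU\\..\\Run: [Kkocmw] D:\\WINDOWS\\System32\\m\u0455config.exe
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: 81.222.131.59 (HKLM)
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - D:\\WINDOWS\\isrvs\\mfiltis.dll
O20 - Winlogon Notify: drct16 - drct16.dll (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\\Program Files\\iPod\\bin\\iPodService.exe
"""

# "O4 - <rest of line>": section code, then the entry body.
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# A URL whose host is a bare dotted-quad rather than a hostname.
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")


def non_ascii_chars(text: str) -> List[str]:
    """Return every non-ASCII character in text, with its Unicode name."""
    return [f"{c!r} ({unicodedata.name(c, 'UNKNOWN')})" for c in text if ord(c) > 127]


def triage_line(line: str) -> List[str]:
    """Return the reasons (possibly none) why one HijackThis line deserves a look."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    reasons: List[str] = []

    # R0/R1: IE start/search/default page redirected to a raw IP address.
    if section in ("R0", "R1") and RAW_IP_URL.search(body):
        reasons.append("IE page setting points at a raw IP address")

    # F2 Shell=: anything listed next to Explorer.exe is launched at every logon.
    if section == "F2" and "Shell=" in body:
        programs = body.split("Shell=", 1)[1].split()
        if [p for p in programs if p.lower() != "explorer.exe"]:
            reasons.append("Shell= loads an extra program besides Explorer.exe")

    # Orphaned registration: the component's file is gone but its hook remains.
    if "(file missing)" in body:
        reasons.append("registered component's file is missing")

    # O4 autostarts: user-profile data paths and look-alike characters in names.
    if section == "O4":
        if "application data" in body.lower():
            reasons.append("autostart from a user-profile data folder")
        odd = non_ascii_chars(body)
        if odd:
            reasons.append("non-ASCII character in autostart path: " + ", ".join(odd))

    # O15: Trusted Zone / Trusted IP range entries lower IE security for those hosts.
    if section == "O15":
        reasons.append("IE Trusted Zone / Trusted IP range entry")

    # O18 text/html filter: every page IE renders is passed through this DLL.
    if section == "O18" and "Filter: text/html" in body:
        reasons.append("MIME filter installed for text/html")

    # O20: Winlogon Notify packages load into winlogon.exe at boot.
    if section == "O20":
        reasons.append("Winlogon Notify package")

    return reasons


def triage_log(log: str) -> List[Tuple[str, List[str]]]:
    """Run triage_line over a whole log and return only the lines with findings."""
    findings: List[Tuple[str, List[str]]] = []
    for line in log.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for flagged, why in triage_log(SAMPLE_LOG):
        print(flagged)
        for reason in why:
            print("    ->", reason)
```

The clean AVG, Google Toolbar and iPod lines pass through untouched, while the look-alike letter that is invisible in a directory listing is named explicitly.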

#8 2nyce (Topic Starter, Member, 38 posts)
The blue screen of death is gone and I got my desktop back. I hope the trojan is gone with it. Thanks.

#9 miekiemoes (Malware Expert, MVP, 5,503 posts)
2nyce, can you please follow my steps as I asked you to?
Maybe it seems to be solved, but I'm pretty sure some files are still present there that really need to go, so can you post the log from findit's please?

Did you also delete that file I asked you about in my previous post?

#10 2nyce (Topic Starter, Member, 38 posts)
I couldn't find that file m?config.exe in D:\Windows\system32, and I think I deleted the msconfig.exe file, and when I click on findit's.bat I did receive an error.
#11 miekiemoes (Malware Expert, MVP, 5,503 posts)
Can you doubleclick look.bat again and post the log here?
Let's see what you deleted.

About the error from findit's... I already told you this:

Doubleclick FindIt's.bat. When the scan is done, it will produce a log.
If you get an error while running FindIt's similar to:
'D:\windows\system32\cmd.exe
D:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.'

use the next fix: http://www.visualtou...oads/xp_fix.exe and try FindIt's again.

Post that log from FindIt's in your next reply together with a fresh HijackThis log and the log from ewido + the log from look.bat (files.txt) and I'll take another look.


I'm asking you things for a reason; I write it down here to help you. So that's why it is also important you read it. And if you don't understand something, just ask.

#12 2nyce (Topic Starter, Member, 38 posts)
I still have that error when trying to run look.bat. Is it supposed to be a black screen command?

#13 miekiemoes (Malware Expert, MVP, 5,503 posts)
2nyce, yes, it is supposed to be a black screen command.
I think you are mixing up two different things here.
look.bat and findit's.bat are two different search tools.

So, I'm going to ask you this step by step...

Please doubleclick look.bat (this is NOT findit's.bat, that's something else)
Notepad will open with some txt in it.
Copy and paste this in your next reply.

#14 2nyce (Topic Starter, Member, 38 posts)
Volume in drive D has no label.
Volume Serial Number is B047-94FA

Directory of D:\WINDOWS\System32

05/17/2005 06:58 AM 430,080 m?config.exe
1 File(s) 430,080 bytes

Directory of D:\Documents and Settings\Mike\Desktop

#15 miekiemoes (Malware Expert, MVP, 5,503 posts)
Well, yes, in that case -- I think you really deleted the legit msconfig.exe instead of the bad one. I was very clear in here though:

In the meanwhile, search for and delete m?config.exe in your D:\Windows\system32 folder. Where the ? is present, there will be a letter instead, so you won't find it with the question mark in it.
Please don't delete msconfig.exe that is present in any other folder than the system32 folder!! Because those are legit ones.
The bad one you have to search for will probably have no icon. If you rightclick on it and choose properties, the date is 05/17/2005 and the filesize is +/- 430kb.
Please make sure you don't delete any other ones!!


That is why it is so important you really, really read my posts very carefully, because there is a reason for this!!

Now please delete the bad m?config.exe that is still present in your system32 folder. (DON'T SEARCH in any other folder than your system32 folder, NO SUBFOLDERS either, to delete that m?config.exe!!)

When finished, open Notepad again and copy and paste the next content (bold) into it:

dir D:\msconfig.exe /a h /s > look2.txt
notepad look2.txt


Save this as look2.bat, choose to save as "all files" and place it on your desktop. Doubleclick on look2.bat.
Notepad will open with some txt in it. Copy and paste this in your next reply.

Edited by miekiemoes, 28 May 2005 - 07:53 AM.
